Comment from Johannes on 2012-02-29 (2012-02-29T12:54:23Z, tag:www.schneier.com,2012:/blog//2.4253-comment:711168)
renoX: Despite being mentally ill, I'd say he was a professional as far as his terrorist activities go. He evaded detection for quite a long time, obtained firearms and bomb construction supplies legally without rousing suspicion and was apparently a meticulous planner.

The bomb also did go off, obviously, so instead of being one of the plenty would-be terrorists who build malfunctioning bombs or had plots that could never have worked, he was quite successful.

Comment from renoX on 2012-02-29 (2012-02-29T09:54:48Z, tag:www.schneier.com,2012:/blog//2.4253-comment:711144)
"There are two basic kinds of terrorists – random idiots and professionals."

I'm not sure that this is a useful dichotomy, where do you classify Anders Behring Breivik?

Maybe I wasn't clear, but in my response to @Godel I was referring to a 'storage-only' use of cloud resources (backups and the like), for which encryption actually makes sense. You have already covered 'computing' use in your comment, so I just skipped this other part of the problem.

Amazon S3 you've mentioned is exactly that: storage service. I use it myself - encrypting data locally before upload. They offer various computing services as well.

Comment from NobodySpecial on 2012-02-28 (2012-02-28T21:06:22Z, tag:www.schneier.com,2012:/blog//2.4253-comment:710795)
@Peter - the important difference is that the 'cloud' is not remote storage, it is remote processing, i.e. commodity computing.

So you upload your data and run an app on Amazon S3 or some other cloud provider. They own the CPU; they can see your data. However you encrypt it, they see exactly what your app sees.

There is a very interesting research area into what processing you can do on encrypted data without the algorithm having to decrypt it - the answer is not much!

When you encrypt your data sent to the cloud, you do not need to trust the provider not to misuse it; you still have to trust it not to lose it. You may try diversifying by uploading copies to several different providers, but it raises the costs. Even still, you often have to trust that all your copies do not in fact land in the same data center :-) There's a lot of reselling going on in the business...

Comment from ferritecore on 2012-02-28 (2012-02-28T17:43:04Z, tag:www.schneier.com,2012:/blog//2.4253-comment:710557)
All seven. The rest aren't facts.

Comment from D0R on 2012-02-28 (2012-02-28T12:27:01Z, tag:www.schneier.com,2012:/blog//2.4253-comment:710513)
No jokes. Now we really want to know which seven facts are true.

Comment from pipedream on 2012-02-28 (2012-02-28T10:30:51Z, tag:www.schneier.com,2012:/blog//2.4253-comment:710501)
Distrusting Business: In Praise of Distrust by George Monbiot

Comment from AC2 on 2012-02-28 (2012-02-28T09:49:24Z, tag:www.schneier.com,2012:/blog//2.4253-comment:710491)
@William "there is so much incompetence, dishonesty, fraud, corruption, adulteration of food, etc., "

Good points. The trust issue in life is similar to the CompSci idea of "trusted computing base." To be secure, what does a given app, subject, process, etc. depend on? What can influence it? For average app, it might be protocols, middleware, OS, drivers, privileged software, firmware, hardware, etc. They all have to be securely implemented or app can be compromised.

Likewise, we can't be truly safe/secure unless everything we depend on for safety/security occurs in a safe/secure fashion. Most of it carries a little risk and plenty of options carry more than a little. An old adage says that you can combine things together & get an effect greater than the sum of its parts. Applying this to societal risk, the risk of one's lifestyle is at least as high as the sum of all the risks in all those we trust. Maybe. Hence, we must make tradeoffs & total risk mitigation is impossible. It's also stupid. ;)

Comment from NobodySpecial on 2012-02-27 (2012-02-28T08:04:17Z, tag:www.schneier.com,2012:/blog//2.4253-comment:710351)
@Godel - how do you process encrypted data on a machine you don't trust?

If you don't trust Google/Apple/Facebook do you use them? What about Intel/Microsoft/Micron/your ISP/the maker of your network card?

It's hard to do much other than sit in a basement with your eyes closed if you trust no one!

Comment from William on 2012-02-27 (2012-02-28T04:03:08Z, tag:www.schneier.com,2012:/blog//2.4253-comment:710327)
Regarding the importance of trust to social stability, I can certainly see the effects of a lack of trust on society here in China: there is so much incompetence, dishonesty, fraud, corruption, adulteration of food, etc., that people have a hard time trusting anyone aside from their own families and closest friends. There are huge costs to everyone resulting from the fact that you can't trust anything you haven't closely inspected.

Comment from Magnum on 2012-02-27 (2012-02-28T03:29:11Z, tag:www.schneier.com,2012:/blog//2.4253-comment:710318)
Which seven facts are true?

The next seven you read.

Comment from Godel on 2012-02-27 (2012-02-28T03:13:46Z, tag:www.schneier.com,2012:/blog//2.4253-comment:710227)
Bruce said:
"On the other hand, I have to trust my cloud providers. I have to trust that Facebook won't misuse the personal information it knows about me."

Hell no!

You either encrypt the information that you're uploading, or give them slightly false or misleading information, or don't upload anything valuable that others might have access to.

You certainly don't trust the likes of Facebook or Google or Apple.

Their EULAs tell us so!

Comment from vasiliy pupkin on 2012-02-27 (2012-02-27T23:53:29Z, tag:www.schneier.com,2012:/blog//2.4253-comment:710128)
'TRUST, but VERIFY'. There were a lot of jokes on that old Russian statement.
Majority claims that trust excludes verification. I think that is just misunderstanding: trust intentions (that is what Bruce was talking about), but verify actions. That is why random penetration test, polygraph testing (that is just not scientific method, but still working with proper methodology), food sampling, etc. by independent tester provide some tools to keep intentions on a good side.
Regardless, according to Napoleon, there are two driving forces for humans: fear and personal interest.
Both are working in concert.
"If men were angels, no government would be necessary" (James Madison).
I think if (wo)men were angels, no verification would be necessary as well.
Comment from AlanS on 2012-02-27 (2012-02-27T20:30:41Z, tag:www.schneier.com,2012:/blog//2.4253-comment:710124)
Should I trust your book recommendations?

Benkler muddles Adam Smith. He writes about "Adam Smith's alternative solution to our selfishness--the invisible hand." The invisible hand as it is currently and commonly understood originates from an influential misreading (maybe willful misreading) of The Wealth of Nations by the economist Paul Samuelson. There is no theory of the invisible hand in The Wealth of Nations. The term invisible hand appears exactly once in Wealth, near the middle of the book. It is a metaphor used to describe the unintended consequences that result when investors choose domestic over foreign investment because of perceived risks and trust issues. Smith never used the term to describe the operation of markets and never articulated an invisible hand "solution".

Benkler goes on to contrast what he perceives as Smith's view of human nature in The Wealth of Nations with the one articulated in his earlier book, The Theory of the Moral Sentiments. The contradiction between the two books only exists if you accept the Samuelson reading of Wealth. Smith gave no indication that he changed his mind between the two books and there is no credible evidence that he did so.

Comment from Arnie Lerma on 2012-02-27 (2012-02-27T20:24:37Z, tag:www.schneier.com,2012:/blog//2.4253-comment:710107)
TRUST is the finest form of data compression. If you TRUST another's judgement, you don't even have to know the details.

Comment from matt on 2012-02-27 (2012-02-27T19:47:06Z, tag:www.schneier.com,2012:/blog//2.4253-comment:710071)
@Joe Buck: All seven.

Comment from Joe Buck on 2012-02-27 (2012-02-27T19:03:09Z, tag:www.schneier.com,2012:/blog//2.4253-comment:710065)
Which seven facts are true?
2012-02-27T18:53:13Z2012-02-27T18:53:13Z